On Feb 7, 2007, at 8:14 AM, Robert Story wrote:
> You are quite right, however, that I would be daft to have a firewall
> rule to a control port of a router that looked like 'good-guy.* ALLOW'.
> But that doesn't mean that the first use is unreasonable.

Actually, I would argue that the first use *is* unreasonable, absent any more information than that the reverse record contains the string "dialup." For example, what if it contains "dialup-mailserver?" What is reasonable, and what is helpful to me about reverse zone data, is that it gives me a hint as to where to look to see who's talking to me. I can check the forward to see if the reverse is a lie or not. It's not secure, but it's fairly dependable, and it's very helpful for debugging. OTOH, you'd be insane to put the contents of the reverse lookup in your logs without the IP address alongside it, because it's not trustworthy.

To me, that is the sole use of reverse lookups. It is useful, and it's good if people populate the reverse tree as a habit because it helps in this way. But it is entirely correct to say that using the contents of the reverse tree to make automatic decisions is a mistake.



_______________________________________________
DNSOP mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dnsop

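An added example, not part of the thread above: the "check the forward to see if the reverse is a lie" step (forward-confirmed reverse DNS), plus a log line that always carries the IP address next to the PTR name, and a demonstration of why a rule like 'good-guy.* ALLOW' or a 'dialup' substring match on the PTR name alone is the mistake the message describes. All addresses, host names and zone contents are constructed; the resolver is a stub so the block runs offline (for live use, pass functions built on socket.gethostbyaddr / socket.getaddrinfo or dnspython as ptr_lookup / forward_lookup).

```python
"""Forward-confirmed reverse DNS (FCrDNS) with a pluggable resolver.

Added example; not from the DNSOP thread. Zone data below is made up.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Mapping

# Constructed sample zone data (hypothetical, RFC 5737 / RFC 3849 ranges).
# Reverse tree: address -> PTR names.  Forward tree: name -> addresses.
SAMPLE_PTR: Mapping[str, list[str]] = {
    "192.0.2.10": ["dialup-mailserver.example.net."],  # legit, forward agrees
    "192.0.2.20": ["good-guy.example.org."],           # PTR is a lie
    "192.0.2.30": [],                                  # reverse tree not populated
    "2001:db8::1": ["host1.example.com."],
}
SAMPLE_FWD: Mapping[str, list[str]] = {
    "dialup-mailserver.example.net.": ["192.0.2.10"],
    "good-guy.example.org.": ["198.51.100.7"],         # does not point back
    "host1.example.com.": ["2001:db8::1", "192.0.2.99"],
}


def stub_ptr(ip: str) -> list[str]:
    """Stand-in for a PTR query against the reverse tree."""
    return list(SAMPLE_PTR.get(ip, []))


def stub_forward(name: str) -> list[str]:
    """Stand-in for an A/AAAA query against the forward tree."""
    return list(SAMPLE_FWD.get(name, []))


@dataclass(frozen=True)
class ReverseResult:
    ip: str                     # normalised textual address (always logged)
    ptr_names: tuple[str, ...]  # whatever the reverse tree claimed
    confirmed: tuple[str, ...]  # PTR names whose forward lookup includes ip

    @property
    def is_confirmed(self) -> bool:
        return bool(self.confirmed)


def _same_addr(addr: ipaddress._BaseAddress, text: str) -> bool:
    try:
        return ipaddress.ip_address(text) == addr
    except ValueError:
        return False


def fcrdns(
    ip: str,
    ptr_lookup: Callable[[str], list[str]] = stub_ptr,
    forward_lookup: Callable[[str], list[str]] = stub_forward,
) -> ReverseResult:
    """Look up PTR names for ip, then keep only those whose forward
    records contain ip.  Normalises IPv4/IPv6 text first so that
    '2001:DB8::1' and '2001:db8::1' resolve the same key."""
    addr = ipaddress.ip_address(ip)
    names = tuple(ptr_lookup(str(addr)))
    confirmed = tuple(
        n for n in names if any(_same_addr(addr, a) for a in forward_lookup(n))
    )
    return ReverseResult(str(addr), names, confirmed)


def log_line(result: ReverseResult) -> str:
    """Debug-friendly record: the IP comes first, the PTR name is a hint."""
    names = ",".join(result.ptr_names) if result.ptr_names else "-"
    return f"src={result.ip} ptr={names} fcrdns={'yes' if result.is_confirmed else 'no'}"


def naive_name_allow(ip: str, prefix: str = "good-guy.") -> bool:
    """The 'good-guy.* ALLOW' rule from the thread: trusts the PTR string.
    Shown only to contrast with fcrdns(); do not use for access control."""
    return any(n.startswith(prefix) for n in stub_ptr(ip))


def naive_dialup_block(ip: str) -> bool:
    """The 'contains dialup' heuristic: rejects the mail server too."""
    return any("dialup" in n for n in stub_ptr(ip))


if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "2001:DB8::1"):
        print(log_line(fcrdns(src)))
```

The contrast is the point: 192.0.2.20 passes naive_name_allow() because its owner wrote whatever they liked into the reverse tree, yet fcrdns() reports it unconfirmed because the forward record for that name points somewhere else; 192.0.2.10 is a mail server that a "dialup" substring rule would block. Neither outcome makes FCrDNS a security control (the forward and reverse zones may be run by the same party), which is why the log line keeps the address in front of the name.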